nuxt-auth
`jti` set in `encode` is not preserved in `decode`
Environment
------------------------------
- Operating System: Darwin
- Node Version: v20.18.0
- Nuxt Version: 3.13.0
- CLI Version: 3.13.1
- Nitro Version: 2.9.7
- Package Manager: [email protected]
- Builder: -
- User Config: sourcemap, app, auth, components, colorMode, css, i18n, imports, modules, openFetch, nitro, runtimeConfig, rootDir, security, srcDir, typescript, vite, compatibilityDate
- Runtime Modules: ./src/modules/datadog-module, @nuxtjs/[email protected], @nuxtjs/[email protected], @sidebase/[email protected], @pinia/[email protected], @nuxt/[email protected], @nuxtjs/[email protected], [email protected], @nuxt/[email protected], @nuxtjs/[email protected], [email protected], @nuxt/test-utils/[email protected], [email protected]
- Build Modules: -
------------------------------
Reproduction
```ts
import { randomUUID } from 'node:crypto';
import { encode, decode } from 'next-auth/jwt';
import OktaProvider from 'next-auth/providers/okta';
import { NuxtAuthHandler } from '#auth';

// Provider settings: the report does not show where these come from, so they are
// read from the environment here.
const OKTA_CLIENT_ID = process.env.OKTA_CLIENT_ID!;
const OKTA_CLIENT_SECRET = process.env.OKTA_CLIENT_SECRET!;
const OKTA_ISSUER = process.env.OKTA_ISSUER!;

export default NuxtAuthHandler({
  secret: process.env.NUXT_AUTH_SECRET,
  pages: {
    signIn: '/',
  },
  session: {
    strategy: 'jwt',
    maxAge: 30 * 24 * 60 * 60,
    updateAge: 24 * 60 * 60,
  },
  jwt: {
    encode: async ({ secret, token, maxAge }) => {
      console.log('Encode - Original Token JTI:', token?.jti);
      // Assign a jti on the first encode only; later encodes should see the same value.
      if (!token?.jti) {
        token!.jti = randomUUID();
      }
      console.log('Encode - Token JTI After Generation:', token!.jti);
      const encodedToken = await encode({ token, secret, maxAge });
      return encodedToken;
    },
    decode: async ({ secret, token }) => {
      // `token` here is the encoded JWE string, so its claims are only readable after decode.
      const decodedToken = await decode({ token, secret });
      console.log('Decode - Decoded Token JTI:', decodedToken?.jti);
      if (decodedToken) {
        console.log('Decoded Token Full Dump:', JSON.stringify(decodedToken, null, 2));
      }
      if (!decodedToken) return null;
      return decodedToken;
    },
  },
  callbacks: {
    async jwt({ token, user, account }) {
      // NOTE: Initial sign-in.
      if (account && user) {
        const tokenFamilyId = randomUUID();
        const updatedToken = {
          ...token,
          at: account.access_token!,
          rt: account.refresh_token,
          jti: token.jti,
          rtf: tokenFamilyId,
          exp: Math.floor(Date.now() / 1000 + (24 * 60 * 60)),
        };
        return updatedToken;
      }
      // NOTE: Return existing token if not expired
      if (token.at && typeof token.exp === 'number' && Date.now() < token.exp * 1000) {
        return token;
      }
      // Placeholder so the callback always returns a JWT; the refresh logic for an
      // expired access token is not included in this report.
      return token;
    },
  },
  providers: [
    // @ts-expect-error Use .default here for it to work during SSR.
    OktaProvider.default({
      clientId: OKTA_CLIENT_ID,
      clientSecret: OKTA_CLIENT_SECRET,
      issuer: OKTA_ISSUER,
    }),
  ],
});
```
Describe the bug
When writing custom logic to generate my own JWT, I notice that the `jti` returned from the `encode` function and the `jti` read in the `decode` function are completely different.
I'm afraid there's some other middleware (or perhaps core logic) that completely modifies the `jti`.
Additional context
While `jti` changes, I tried setting a new `jti2` value on the JWT, which does get preserved after `decode`.
Logs
```text
Encode - Original Token JTI: b7601006-9a3d-48f6-a172-b68b2b503555
Encode - Token JTI After Generation: b7601006-9a3d-48f6-a172-b68b2b503555
Decode - Decoded Token JTI: 6aeac235-0ce7-4243-af3f-9b99578769fb
```